Refactor HAProxy configuration and certificate management

- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.

ansible/certbot/cert-distribute.yml

@@ -0,0 +1,87 @@
+---
+# -----------------------------------------------------------------------------
+# Certificate Distribution Playbook
+# -----------------------------------------------------------------------------
+# Pulls certificates from OCI Vault (uploaded by bootes certbot) and
+# deploys them directly to target hosts for HAProxy/service TLS termination.
+#
+# Each target host defines its certificates in host_vars:
+#   certbot_distributed_certs:
+#     - cert_name: corvus.helu.ca
+#       cert_path: /etc/haproxy/certs/corvus.helu.ca.pem
+#
+# Run from fornax:
+#   ansible-playbook certbot/cert-distribute.yml
+#
+# Deployed as a weekly cron job on fornax.
+# Can also be run manually after ad-hoc certificate renewals.
+# -----------------------------------------------------------------------------
+
+- name: Distribute certificates from OCI Vault to target hosts
+  hosts: ubuntu:debian
+  gather_facts: false
+
+  handlers:
+    - name: reload haproxy
+      become: true
+      ansible.builtin.systemd:
+        name: haproxy
+        state: reloaded
+      when: "'haproxy' in services | default([])"
+
+  tasks:
+    - name: Skip hosts without distributed certificates
+      ansible.builtin.meta: end_host
+      when: certbot_distributed_certs is not defined
+
+    - name: Ensure cert directory exists
+      become: true
+      ansible.builtin.file:
+        path: "{{ certbot_distributed_certs[0].cert_path | dirname }}"
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Deploy certificate from OCI Vault
+      become: true
+      ansible.builtin.copy:
+        content: |
+          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-fullchain', vault_id=oci_vault_id) }}
+          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-privkey', vault_id=oci_vault_id) }}
+        dest: "{{ item.cert_path }}"
+        owner: root
+        group: root
+        mode: '0640'
+      loop: "{{ certbot_distributed_certs }}"
+      loop_control:
+        label: "{{ item.cert_name }}"
+      no_log: true
+      notify: reload haproxy
+
+    - name: Verify deployed certificates are valid PEM
+      become: true
+      ansible.builtin.command:
+        cmd: openssl x509 -noout -checkend 0 -in {{ item.cert_path }}
+      register: _cert_check
+      loop: "{{ certbot_distributed_certs }}"
+      loop_control:
+        label: "{{ item.cert_name }}"
+      changed_when: false
+
+    - name: Show certificate expiry dates
+      become: true
+      ansible.builtin.command:
+        cmd: openssl x509 -noout -subject -enddate -in {{ item.cert_path }}
+      register: _cert_info
+      loop: "{{ certbot_distributed_certs }}"
+      loop_control:
+        label: "{{ item.cert_name }}"
+      changed_when: false
+
+    - name: Log certificate status
+      ansible.builtin.debug:
+        msg: "{{ item.item.cert_name }}: {{ item.stdout }}"
+      loop: "{{ _cert_info.results }}"
+      loop_control:
+        label: "{{ item.item.cert_name }}"